fb9db8f382bd7ec0440806950366e555ef79d327bf4608b924e7980723499890

General

Target

z8246341.exe
Size

325KB
MD5

012e5510dd4e65c0abff8c52ed819a78
SHA1

fb5eed262000dabb42a2356568fb8f5a0aefcd73
SHA256

fb9db8f382bd7ec0440806950366e555ef79d327bf4608b924e7980723499890
SHA512

8fa9cc0b8b980585213c1f1fb3371a996086fec9b45aec8d0a74fe3235e9e92968cb82d8d8f74a5d61aac404adf4f6421ddec3627531d2d2420cb3edfc318bbb
SSDEEP

6144:KSy+bnr+pp0yN90QE7wrqnDMxPzT2hn1RNecbr7IUdXV:qMr9y90sqn4BTSznDIUT

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	q3215306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	q3215306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	q3215306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	q3215306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	q3215306.exe

Executes dropped EXE 2 IoCs

pid	Process
4268	q3215306.exe
5076	r5543521.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	q3215306.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	q3215306.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	z8246341.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4268	q3215306.exe
4268	q3215306.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4268	q3215306.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1632 wrote to memory of 4268	1632	z8246341.exe	70
PID 1632 wrote to memory of 4268	1632	z8246341.exe	70
PID 1632 wrote to memory of 4268	1632	z8246341.exe	70
PID 1632 wrote to memory of 5076	1632	z8246341.exe	71
PID 1632 wrote to memory of 5076	1632	z8246341.exe	71
PID 1632 wrote to memory of 5076	1632	z8246341.exe	71

C:\Users\Admin\AppData\Local\Temp\z8246341.exe
"C:\Users\Admin\AppData\Local\Temp\z8246341.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q3215306.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q3215306.exe
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4268
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r5543521.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r5543521.exe
  2⤵
  - Executes dropped EXE
  PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

2

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q3215306.exe

Filesize
184KB

MD5
7868bdf1097be0b3e6abaaa809a96d9c

SHA1
a565e5ba9745f48d4791126bd9f6eaffcb0f5f7a

SHA256
2ab6209ffe3cde29adf1f70d9ac0afa462d07ff9ac9a2481f090a6cc80803d43

SHA512
afc83cc82aa7418becb58d3340ca3b97d1408a2852c09cc38de938735cec5fcca291764ca6bc54e9379ad640f3191218ccd75c645e43b1bab20780b7ef82fd05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\q3215306.exe

Filesize
184KB

MD5
7868bdf1097be0b3e6abaaa809a96d9c

SHA1
a565e5ba9745f48d4791126bd9f6eaffcb0f5f7a

SHA256
2ab6209ffe3cde29adf1f70d9ac0afa462d07ff9ac9a2481f090a6cc80803d43

SHA512
afc83cc82aa7418becb58d3340ca3b97d1408a2852c09cc38de938735cec5fcca291764ca6bc54e9379ad640f3191218ccd75c645e43b1bab20780b7ef82fd05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r5543521.exe

Filesize
141KB

MD5
df1a54b0ce9f42275a825eeb5daef830

SHA1
7a1e2b07e77caaee421d44173ecfd578cdd57d99

SHA256
4727a2e6a30bebebfaaa5560ba8aaee5a6aaf54e66822b37088be97bc07e0f40

SHA512
2ede071911b1c3355671bc120c7fbbab7bba3303f9458d80e8d0deeba9ad03fc7d3f474210a49bdff7e493bc4599afd5ee60e308f2e4df889522353c702b9ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\r5543521.exe

Filesize
141KB

MD5
df1a54b0ce9f42275a825eeb5daef830

SHA1
7a1e2b07e77caaee421d44173ecfd578cdd57d99

SHA256
4727a2e6a30bebebfaaa5560ba8aaee5a6aaf54e66822b37088be97bc07e0f40

SHA512
2ede071911b1c3355671bc120c7fbbab7bba3303f9458d80e8d0deeba9ad03fc7d3f474210a49bdff7e493bc4599afd5ee60e308f2e4df889522353c702b9ad5

Download Submit
memory/4268-22-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-28-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-11-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-12-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-14-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-16-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-18-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-20-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-9-0x0000000004AB0000-0x0000000004FAE000-memory.dmp

Filesize
5.0MB

Download
memory/4268-24-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-26-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-10-0x0000000004930000-0x000000000494C000-memory.dmp

Filesize
112KB

Download
memory/4268-32-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-30-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-34-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-36-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-38-0x0000000004930000-0x0000000004946000-memory.dmp

Filesize
88KB

Download
memory/4268-39-0x0000000072EA0000-0x000000007358E000-memory.dmp

Filesize
6.9MB

Download
memory/4268-41-0x0000000072EA0000-0x000000007358E000-memory.dmp

Filesize
6.9MB

Download
memory/4268-8-0x0000000072EA0000-0x000000007358E000-memory.dmp

Filesize
6.9MB

Download
memory/4268-7-0x0000000002030000-0x000000000204E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads